HCSEC-2024-24
**Bulletin ID:** HCSEC-2024-24

**Affected Products / Versions:** Consul Community Edition from 1.4.1 up to 1.19.2; fixed in 1.20.0. Consul Enterprise from 1.4.1 up to 1.19.2, 1.18.4, 1.15.14; fixed in 1.20.0, 1.19.3, 1.18.5, and 1.15.15.

**Publication Date:** October 30, 2024

**Summary**

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a `Content-Type` HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. This vulnerability, identified as CVE-2024-10086, is fixed in Consul Community Edition 1.20.0 and Consul Enterprise 1.20.0, 1.19.3, 1.18.5, and 1.15.15.

**Background**

Consul provides an HTTP server, using Go's [net/http package](https://pkg.go.dev/net/http), from which the Consul [API](https://developer.hashicorp.com/consul/api-docs) and [web UI](https://developer.hashicorp.com/consul/tutorials/archive/get-started-explore-the-ui) are served. When the [Content-Type HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type) is not explicitly set in an HTTP response, Go's net/http attempts to [guess and set the Content-Type](https://cs.opensource.google/go/go/+/master:src/net/http/fs.go;l=288;drc=959b3fd4265d7e4efb18af454cd18799ed70b8fe?q=DetectContentType&ss=go%2Fgo:src%2Fnet%2Fhttp%2F) of the HTTP response based on the HTTP request body content value.

**Details**

The Consul HTTP server response did not explicitly specify a Content-Type header, which allowed user-provided inputs to be interpreted as a different content-type. This vulnerability can be exploited by attackers to perform reflected XSS attacks, leading to potential account takeovers.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.0, 1.19.3, 1.18.5, 1.15.15 or newer.

Please refer to [Upgrading Consul](https://developer.hashicorp.com/consul/docs/upgrading) for general guidance and version-specific upgrade notes.

**Acknowledgement**

This issue was identified by HashiCorp's external security assessment partner and the Consul engineering team.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
**Timeline**
- Oct 30, 2024 CVE Published
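The sniffing behaviour described under Background, shown as an added Go example (not Consul's code): a handler that echoes a request value without declaring a Content-Type is served as whatever `http.DetectContentType` guesses from the body, while a handler that sets the header before the first write is not. The `/echo` path, the `v` parameter and the sample value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// echoVulnerable writes a user-supplied value back without declaring a
// Content-Type. net/http then sniffs the first 512 bytes of the body with
// http.DetectContentType and advertises whatever it guessed.
func echoVulnerable(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, r.URL.Query().Get("v"))
}

// echoFixed declares the payload type before the first Write and tells
// browsers not to second-guess it, so the body is never rendered as HTML.
func echoFixed(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, r.URL.Query().Get("v"))
}

// ObservedContentType drives a handler with a request carrying value as the
// reflected parameter and returns the Content-Type a client would see.
// httptest.ResponseRecorder applies the same sniffing as http.Server when
// the handler leaves Content-Type unset.
func ObservedContentType(h http.HandlerFunc, value string) string {
	req := httptest.NewRequest(http.MethodGet, "/echo?v="+url.QueryEscape(value), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	// Constructed sample input that merely looks like an HTML document.
	sample := "<html><body>hello</body></html>"
	fmt.Println("vulnerable:", ObservedContentType(echoVulnerable, sample)) // text/html; charset=utf-8
	fmt.Println("fixed:     ", ObservedContentType(echoFixed, sample))      // text/plain; charset=utf-8
}
```

The same check can be pointed at a real endpoint with `httptest.NewServer`; a response whose Content-Type changes with the reflected input is the symptom this bulletin describes.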